diff --git a/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/ipc_helpers.hpp b/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/ipc_helpers.hpp
index fcb5853731..8a5a001971 100644
--- a/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/ipc_helpers.hpp
+++ b/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/ipc_helpers.hpp
@@ -1,14 +1,12 @@
 #pragma once
 
 #include <eosio/chain/webassembly/eos-vm-oc/ipc_protocol.hpp>
+#include <eosio/chain/webassembly/eos-vm-oc/memfd_helpers.hpp>
 
 #include <boost/asio/local/datagram_protocol.hpp>
 
 #include <vector>
 
-#include <sys/syscall.h>
-#include <linux/memfd.h>
-
 namespace eosio { namespace chain { namespace eosvmoc {
 
 class wrapped_fd {
@@ -54,7 +52,7 @@ bool write_message_with_fds(int fd_to_send_to, const eosvmoc_message& message, c
 
 template<typename T>
 wrapped_fd memfd_for_bytearray(const T& bytes) {
-   int fd = syscall(SYS_memfd_create, "eosvmoc_code", MFD_CLOEXEC);
+   int fd = exec_sealed_memfd_create("eosvmoc_code");
    FC_ASSERT(fd >= 0, "Failed to create memfd");
    FC_ASSERT(ftruncate(fd, bytes.size()) == 0, "failed to grow memfd");
    if(bytes.size()) {
diff --git a/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/memfd_helpers.hpp b/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/memfd_helpers.hpp
new file mode 100644
index 0000000000..2f6bb14c80
--- /dev/null
+++ b/libraries/chain/include/eosio/chain/webassembly/eos-vm-oc/memfd_helpers.hpp
@@ -0,0 +1,21 @@
+#pragma once
+
+#include <linux/memfd.h>
+#include <sys/mman.h>
+
+namespace eosio::chain::eosvmoc {
+
+// added in glibc 2.38
+#ifndef MFD_NOEXEC_SEAL
+#define MFD_NOEXEC_SEAL 8U
+#endif
+
+inline int exec_sealed_memfd_create(const char* name) {
+   //kernels 6.3 through 6.6 by default warn when neither MFD_NOEXEC_SEAL nor MFD_EXEC are passed; optionally 6.3+
+   // may enforce MFD_NOEXEC_SEAL. Prior to 6.3 these flags will EINVAL.
+   if(int ret = memfd_create(name, MFD_CLOEXEC | MFD_NOEXEC_SEAL); ret >= 0 || errno != EINVAL)
+      return ret;
+   return memfd_create(name, MFD_CLOEXEC);
+}
+
+}
diff --git a/libraries/chain/webassembly/runtimes/eos-vm-oc/memory.cpp b/libraries/chain/webassembly/runtimes/eos-vm-oc/memory.cpp
index dd46a761af..f7516f4a50 100644
--- a/libraries/chain/webassembly/runtimes/eos-vm-oc/memory.cpp
+++ b/libraries/chain/webassembly/runtimes/eos-vm-oc/memory.cpp
@@ -1,20 +1,19 @@
 #include <eosio/chain/webassembly/eos-vm-oc/memory.hpp>
 #include <eosio/chain/webassembly/eos-vm-oc/intrinsic.hpp>
 #include <eosio/chain/webassembly/eos-vm-oc/intrinsic_mapping.hpp>
+#include <eosio/chain/webassembly/eos-vm-oc/memfd_helpers.hpp>
 
 #include <fc/scoped_exit.hpp>
 
 #include <unistd.h>
-#include <sys/syscall.h>
 #include <sys/mman.h>
-#include <linux/memfd.h>
 
 namespace eosio { namespace chain { namespace eosvmoc {
 
 memory::memory(uint64_t sliced_pages) {
    uint64_t number_slices = sliced_pages + 1;
    uint64_t wasm_memory_size = sliced_pages * wasm_constraints::wasm_page_size;
-   int fd = syscall(SYS_memfd_create, "eosvmoc_mem", MFD_CLOEXEC);
+   int fd = exec_sealed_memfd_create("eosvmoc_mem");
    FC_ASSERT(fd >= 0, "Failed to create memory memfd");
    auto cleanup_fd = fc::make_scoped_exit([&fd](){close(fd);});
    int ret = ftruncate(fd, wasm_memory_size+memory_prologue_size);